Hi!
We are running a VPS hosting behind a MikroTik RB2011 router.
It's in bridge mode because every customer has his own IP address.
Nowadays one of the customers is getting DDoSed, but the MikroTik CPU is at 100%, so all of the services running behind the MikroTik are nearly dead.
So one port is used to connect our "service" to the internet provider's switch, and another two ports are for the two blade servers.
The virtual machines on these two servers have their own dedicated IP addresses, and we are using the MikroTik to bridge the connection between the server room switch and our servers.
Is there any way to solve the problem? Maybe to change the router to a stronger one?
I would run at least an RB4011 these days. However, you'll also need to use the raw table to drop as fast as you can. Ultimately, however, you may need upstream (your ISP) support, as they will most likely always be able to do it better than your equipment.
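To make the "raw table" advice concrete, here is an added RouterOS configuration example; it is not from the thread or from any poster, and the customer address 203.0.113.10, the attack being a UDP flood, and ether1 being the uplink are all assumptions. Two points it relies on: on a bridged setup the IP firewall (including raw) only sees bridged frames when `use-ip-firewall` is enabled under the bridge settings, and raw rules run before connection tracking, so a drop there costs far less CPU than a drop in the filter table.

```routeros
# Added example (not from the thread). Placeholders: 203.0.113.10 = customer
# currently under attack, ether1 = uplink to the provider switch, UDP flood assumed.

# On a bridge, /ip firewall only processes bridged traffic when this is set.
/interface bridge settings set use-ip-firewall=yes

# Keep the attacked destination(s) in an address list so the rule set stays
# static and only the list changes; the timeout makes the entry expire on its own.
/ip firewall address-list
add list=ddos-targets address=203.0.113.10 timeout=1h comment="placeholder: customer under attack"

# Raw table = before connection tracking, the cheapest place to discard traffic.
/ip firewall raw
add chain=prerouting in-interface=ether1 dst-address-list=ddos-targets protocol=udp \
    action=drop comment="drop UDP flood to attacked host before conntrack"
# Source addresses that must never arrive from the internet (spoofed flood sources).
add chain=prerouting in-interface=ether1 src-address=10.0.0.0/8 action=drop comment="bogon src"
add chain=prerouting in-interface=ether1 src-address=172.16.0.0/12 action=drop comment="bogon src"
add chain=prerouting in-interface=ether1 src-address=192.168.0.0/16 action=drop comment="bogon src"
add chain=prerouting in-interface=ether1 src-address=127.0.0.0/8 action=drop comment="bogon src"

# Check that the rules are actually matching (packet/byte counters per rule).
/ip firewall raw print stats
```

Dropping in raw only saves CPU; it does nothing about a saturated uplink, since the packets have already consumed the provider-side bandwidth by the time the router sees them. That is why the upstream null-route or a scrubbing service remains the real fix, and the raw rules are only there to keep the other customers reachable while that is arranged.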
Agreed. The 2011 is quite old and weak by today’s standards. I have one at home. If I view my address lists in Winbox the CPU goes to 100% trying to keep updating the addresses (I have ~30,000 addresses in address-lists).
If your uplink is full, there is nothing YOU can do on your own.
If you're somehow lucky and the attack is directed at the specific client, ask the upstream (and/or its upstreams) to null-route / blackhole the IP.
The client will be Fxxxxx, but the rest of the network will live.
If it's your full range, there are services to which you could reroute your full traffic and sanitise it of DDoS.